LENS 2023 | Ethics and the New Technologies of War: AI and Cyber
well ladies and gentlemen and thank you so much for completing the journey with us and we still have one more fabulous presentation to go and it I think it's really important because we are the center on law ethics and National Security and we're going to hear uh a real expert talk about those things and I'll tell you Tim I I knew you I've kind of known to Tim from his writings and some other things but this is the first time I really focused on this bio and it's really he's scary smart you know he was summa laude from Creighton with a Bachelor of Science in mathematics okay one of the reasons I'm a lawyer is mathematics and that's not because I was good at it and he has he graduated from laude from Baylor uh School of Law he also has a masters of law degree in cyberspace and telecommission Communications law from the University of Nebraska he has a masters of arts and operational military art with highest distinction from Air Command and staff college and he is a professor a senior military faculty and assistant professor of law United States Air Force Academy Tim it's so so great to have you here without further Ado let's let's get started [Applause] well I'm either your favorite speaker um or your least favorite I'm either the person standing in your way getting home or I'm the person who is bringing uh clothes to this wonderful conference um either way we are in it for the next hour together as we uh figure out uh how to get this professional responsibility our uh or as the lawyers call it our ethics CLE uh well first of all I'd like to thank General Dunlap for inviting me out here I'd like to thank joy and Professor or general Dunlap for the hospitality they've shown it's been fantastic and I'd like to thank Duke Law School for putting on this conference it's been a pleasure for me sitting back in the speaker room watching all the speakers um and for meeting all the wonderful people that have spoken at this conference now I thought it apropos for me not to write my own introduction but rather have chat GPT write it I thought about giving it the whole speech uh but I thought that might be a little too long and after I read it I didn't love it so I asked instead for a little bit of levity I asked for a funny intro so so here we go straight from GPT ladies and gentlemen welcome to today's uh lecture on the legal professional responsibility issues with cyber and artificial intelligence it's an exciting time to be a lawyer not only do you have to keep up with the ever-changing laws but now you also have to keep up with the machines that are taking over the world just kidding but only partially with the rise of AI and Automation in the legal industry it's more important than ever to understand the ethical and professional responsibilities that come with using these Technologies in this lecture we'll discuss the implications of AI and cyber Technologies on the legal practice so let's get ready to talk about robots Justice and how to keep them from turning against us so that's not bad I also asked chat GPT if it could tell me a funny AI joke so let's see how this goes over uh if an AI simulation of a pop singer performs all over the world does that mean she passes the touring test okay that's pretty good reaction you guys gotta get it all right yeah for those of you that didn't get it you know that the Turing test named for Alan Turing of imitation game Fame uh is actually a test that we try to measure uh the ability for for a computer to speak or to think for itself and to replicate what a what a human might do and so if it passes a Turing test then it passes sort of meets this sufficiency and so now you can understand the tour it's a playoff never mind okay I'll move on all right so um as chat GPT mentioned uh the world is getting more technological um and as the world gets more technological uh I don't have to tell this crowd the computers are becoming more and more ubiquitous in military operations uh at headquarters here attack p is actually testing computer for close if we're calling in close air support and as a result the battlefield is similarly becoming a more technical one uh the next step in this evolution is autonomous weapons drones affixed to cameras that are able to not only identify targets but also distinguish between targets and engage them uh these weapons are powerful and that's just the tip of the iceberg artificial intelligence while being able to use as an autonomous weapon also has the ability to train and test pilots on how to engage in dogfighting techniques and how to perfect them uh they as it has the ability to make strategic recommendations to actually sift through petabytes of intelligence surveillance and reconnaissance data and identify targets and be able to select those targets and do an analysis of whether or not they are lawful artificial intelligence has the capacity to change the battle space in ways that we can't even imagine and as the technology gets more and more sophisticated how do we as lawyers advise on these new weapons of war as lawyers many of us spend our practice and even May stand up here at this stage one day and say that we are not mathematicians we are not Engineers we are not programmers and all I'm here to say to you all is that while that is true we also have an ethical obligation to learn these Technologies to learn how they work so we can better advise our clients on their legal implications and they tend to ignore us because they don't understand international law or they don't understand the finer points of proportionality precautions or distinction they often just want either a yes or no answer and as a result of this a gap is created a gap exists between the technical operators as well as the lawyers and this is unacceptable Gap we need to develop these capabilities with the law in mind and the lawyers need to be there at the outset to make sure that the engineers understand international law and can bake it into the process from the beginning we need the lawyers who can understand technically what's going on so that they can advise on how to make the technical ability or technical aspects of Suites more legally compliant and exists outside of artificial intelligence it exists outside of cyber it exists within space exists within autonomous weapons with even Quantum computing now some of you might be saying well I'm the generation the older generation I don't need necessarily to understand these things the next generation is coming along and they have grown up with computers they get this so Colonel Goins thank you for this but it's about 20 years too late I will say I've got news for you our generation and the generations that have come before me do not have a monopoly on not understanding how computers work I work with undergrads at the United States Air Force Academy and I can tell you that they know how to use a computer for the most part but they don't necessarily have the interest to figuring out why they do what they do and how they do what they do so I believe it actually applies to all generations equally so my thesis today is that understanding technology is an ethical imperative for practitioners and policy makers in the realm of National Security in other words we can't just keep our heads in the sand and while the attorney doesn't have to be qualified to design the system some familiarity with the technology will help them keep up with the conversation and be better lawyers now I think you might all go with me on this you've you're at this particular conference you've stayed this far so I hope you realize that Technologies are important in understanding how Technologies work that said in case you need uh reasons I've got two for you first there's a practical reason on why you want to understand the technology for example if you don't know how a cyber exploit Works how would you be able to advise a cyber operator how uh how do it lawfully how it what rules it has to comply with or whether you could actually deduce if it complies with domestic international law or the authorities that have been granted to you for example the not Petty attack if you're familiar with this this was a launch or an attack launched by Russia against the Ukrainian financial sector in 2017. it's considered to be the most devastating Cyber attack in history it was a piece of software that combined actually two hacks uh in one that would lock down a computer's Master boot record uh it was sort of looked a lot like petja which is why it's called non-petya um but it had one key difference it looked like ransomware and as you know ransomware is a is a type of malicious code that actually locks down the computer and then somebody has to pay a ransom to unlock it well with not petia there was no unlock feature and as a result it was there just simply to destroy the content on the machine now the reason that it was so devastating was because it was indiscriminate it was aimed towards towards the Ukrainian financial sector but it actually went all over the world from uh from a suite or a Chocolate Factory in Tasmania to a hospital in Pennsylvania and unlike other operations like stuxnet for example the code made no attempt to distinguish between computers that were targeted what we consider lawful targets or computers that are not targeted now admittedly this was from Russia and so maybe they had no interest in making it discriminate that said the lesson we can glean from it is the fact that a cyber operation can be absolutely devastating and what we've learned in coupling with stuxnet is that can actually be discriminant and it's up to the lawyers to be able to be there to understand how it works and be able to advise on it and there's examples that's just one from sort of the law of armed conflict the examples in the civilian sector abound there's a ton of them for example Snapchat uh Snapchat was uh entered into a consent decree in 2014 with the FTC it was all about whether or not your snaps remained private or whether they could be screenshotted it turns out that they could and they were being saved and Snapchat uh advertised that all of them were disappearing and as a result the FTC um entered into a consent agreement to basically say that was false and misleading in 2017 Uber was settled with the FTC regarding allegations of improperly storing consumer data I as the lawyer May understand the standard the standard is to reason employ reasonable security measures to protect consumer data but unless I ask questions how are you storing that what are the security measures that you're employing I don't quite understand how I can best advise them the job of the lawyer is to fuse the law with the facts to provide advice and critical to understanding those facts is the technology Facebook most recently had the largest FTC settlement in history five billion dollars for repeated attempts or repeated violations of consumer data some of you might remember the Cambridge analytica Scandal that was third party consent to sharing data there was an opt-in app opt out agreement that turns out Facebook was ignoring now we are also at the dawn of artificial intelligence and artificial intelligence is extremely powerful but it's also extremely data intensive and so as a result the data makes a huge difference in how the AI is ultimately programmed and how it works and so the FTC has expressed a lot of concern over the biases that exist within AI the transparency of the data the accuracy of the buy of the AI models and finally the security of the data as a result of these dangers uh you see the uh where is it yeah as a result of these dangers um the Department of Defense actually recently released I don't know why I have this big thing in the way um the the department that's released the five ethical AI principles or AI ethical principles on how they will develop the AI um included within those we'll talk about later is responsible that they have to be Equitable they have to be reliable they have to be governable and within those uh after right after that or more recently I should say um the um Department of State actually released they doubled down on that and made a declaration a political Declaration on uh the responsible military use of artificial intelligence and autonomy um now uh as a result um when you look at these are the examples that they have as a result what we can see practically is that attorneys have sort of a really good incentive to understand the technology to make sure that they can actually do a good job for their clients but more importantly for this particular presentation there's a second reason that you might be interested and that's because many of you either are now or will be soon subject to the ABA model rules of professional conduct now so as a result what we'll do is we will talk about these rules and then my job could be done but I'm a good ethics advisor and so as a result I will provide you a little uh bit of tips and then dive in a little bit into the technology itself to help do some building blocks or create some building blocks for you to understand as you press forward now I I hope this audience is one that has gone with me so far you sort of acknowledge yes I get it colonel Goins this is a good idea uh so tell me where my duty comes from um and if that's the case fantastic uh please sit back enjoy use these rules as a way to reinforce uh if you are on the other side and don't think the actual Duty exists but by all means give me some time to try to convince you in either event if you're in either Camp I just hope you use the opportunity to to use these rules to learn these rules to then spread uh this message across the across the lawyer community that we cannot turn a blind eye towards technology that we have to understand it in order to be good attorneys all right so let's start with the ABA model rules now almost if you haven't been to an ABA ethics model rules sort of presentation you might not know but they always begin with model rule 1.1 competence so uh not to be um cliche but we will also begin with competence and if you read the rule for uh on competence does a lawyer shall provide competent representation to a client competent reposition requires representation requires the legal knowledge skill thoroughness and preparation reasonably necessary for the representation now it's important to focus on that last section uh reasonably necessary preparation reasonably necessary for the present representation this alone should help you see that in order for me to be reasonably prepared and to provide uh the necessary preparation for representation I probably need to understand my client and what my client's goal is that said the model rules were actually amended in 2012 they added comment 8 under the maintaining competence heading and in it it says to maintain the requisite knowledge and skill a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology engage in continuing study of education and comply with all continuing legal education requirements to which the lawyer is subject the part that I want to focus on is this including the benefits and risks of associated technology with relevant technology now we would all agree that comment 8 is clearly focused on the use of technology in the practice of law this is sort of how you conduct your actual legal practice from how you email to how you handle information etc etc um so it can go from anywhere from how you uh maybe store your information on shared drive to who you email and how you email to how to remove a kitten filter during a zoom hearing but there's no so there's no question that includes this knowing what security measures that you should actually employ and what may exist on a shared hard drive potentially using a VPN operating a wireless network or even a client order on your website so this rule no question addresses that particular practice but it's also been interpreted broadly by states to include things outside of that here uh California state opinion said that legal rules and procedures when placed alongside ever-changing technology produce professional challenges that attorneys must meet to remain competent what I want to focus on is when placed alongside ever-changing technology in other words there are practices and procedures legal rules that actually might be different as a result and your interpretation of them might be different as a result of the new changing technology now the court in that particular case and courts that have interpreted many of them incorporating this California State Bar opinion haven't created a set of rules or a standard yet at this point because they said technology is changing so much it'd be very difficult for them to do that but the answer here is what we should take from this rule is the fact that you should at the very least try to understand the technology that you're advising on um because it actually makes a difference and you need to do that before you start actually providing the advice now this particular rule as I said was uh adopted or amended in 2012. since then 40 states have adopted it so nearly all of them only 10 remain the holdouts um and so here's an example here's where you can see your state and when it was actually adopted you'll see uh California they like the rules so much they did it twice um not really in 2015 they did it through that State Bar opinion and then 2021 they expressed and so uh this is an example if you are not on this list well just know it's probably only a matter of time when I started giving this brief back in 2016 that number was somewhere around 25. so it's increased quite dramatically so that's rule 1.1 the second rule is
Rule 1.3 that's diligence the rule states that a lawyer shall not or shall act with reasonable diligence and promptness in representing a client if you don't understand the technology we usually this this rule is always focused on uh but second part the promptness and representing the clients all about returning phone calls and making sure you're staying in contact with them but you also have to be reasonable diligence right you have to have reasonable diligence and when you think about it if you don't understand the technology how do you know the things that you need to be diligent about and how do you know the things you don't need to be diligent about the next one is perhaps my favorite this is Rule 2.1 advisor it says in representing a client a lawyer shall exercise independent professional judgment and rendered candid device and rendering advice a lawyer may not refer or may refer not only to the law but to other considerations such as moral economics social political factors that may be relevant in a client situation all right this is important notice the rule is called advisor it's not called like legal advisor it's called advisor in other words the law the rule contemplates that we go beyond just seeing this simply being encyclopedias of legal knowledge especially when law is literally at their fingertips our job is to go beyond the law it's to give them sort of more comprehensive view taking in a lot of different factors and giving them advice considering all those factors and so when we think about all those different things we probably want to acknowledge that understanding the technology and the potential implications of that technology absolutely falls into the Ambit of being an advisor again the job of a lawyer is to fuse the law with the facts in light of the domain they're operating in uh but the there's a comment within there comment number two that says advice uh couched in narrow legal terms may be of little value to a client especially where practical considerations such as cost or effects on other people are predominant purely technical legal advice therefore can sometimes be inadequate well if we again purely technical legal advice would for me to Simply say oh well it can't be indiscriminate whereas when I actually start to understand the technology I could provide real meaningful advice it's the attorney's job to advise to dive in understand how it works and see what kind of implications exist now some of you might be saying but what if my client only asks for narrow legal advice as in they just want to know the rule they will apply it and those clients do exist it's fascinating uh the rule actually addresses that in comment three it says a client May expressly or impliedly ask the lawyer for purely technical advice when such a request is made by a client experience and legal matters the lawyer May accept it at face value but here's the key when such a request is made by a client inexperienced in legal matters however the lawyer's responsibility as advisor may include indicating that more may be involved in strictly legal considerations in other words you have an obligation to get a sense to gauge your clients ability to understand not only the legal advice but also the potential other considerations that might exist and in doing so you have an obligation to inform them if you don't believe that they are aware of those other issues these may include legal and policy considerations they may include moral ethical considerations but unless you know the technology you will not know whether these other issues are implicated now those three rules by themselves would probably be good enough but never one to settle for just good enough I will go on there's another ABA rule that indicates that you need to be technically competent a new rule model rule 1.6 a confidentially confidentiality of information a lawyer shall not reveal information relating to the relating to the representation of a client unless the client gives informed consent now we all probably are familiar with this attorney-client privilege for this brief uh I think what we're sort of focused on is the idea of these leaking of potential emails or information through computer mechanism right through technology uh what's interesting is that the standard is that an individual that you have to exercise reasonable care um it's Universal in all states that have addressed it when they've interpreted they say uh well determining whether or not somebody leaked information through let's say a computer system we look at whether or not whether or not they exercise reasonable care and what do we mean by reasonable care well fortunately we have another California ethics opinion seems like they're on the Forefront of this from 2010 and they've actually articulated nine different it's a bit of an eye chart nine different uh factors that you would consider when determining and not determining whether or not an attorney exercised do care a reasonable care and so for example the nature of the technology and relationship to the traditional counterparts right sending in the mail versus email and so they would say well it's normal for you to expect the same amount of security with mail as you would with email and so therefore it's more reasonable um the one I want to focus on is this fourth one the lawyer's own level of technological competence and whether it's necessary to consult an expert in other words you don't get a fast because you don't understand computers right you don't get a pass to say well I don't know what a VPN is I've never done it before why would I need to do that the actual uh State bars have put an onus on you or an obligation on you to actually figure it out and if you don't or you can't figure it out to go hire somebody who knows what they're doing okay so uh the state bars and the ABA are not taking this or they're making this matter pretty clear they're not taking it lightly they're saying you have to get technical right so those are the ABA rules um now we're also here in sort of somewhat of an international law conference and so I wanted to bring some international law into this uh there's also another area of international law that does give rise to this potential issue and that comes from the talent manual now one disclaimer on the talent manual if you've ever studied it understand the talent manual is merely uh sort of a distillation if you will The Lex Lada of what the law is currently it is not actual international law itself but I use it partially because I think it's helpful it's a good distillation but also because of its obvious tie-in to this particular presentation of cyber and so um for you students out there I'm not saying the talent manual is international law but it's a good articulation of it okay and so in this case I want to focus on two Talent manual rules rule 85 is the first one it's the articulation of command responsibility um it says the summary is simply that Commander's another superiors are criminally responsible for ordering cyber operations that constitute war crimes which is pretty much an accurate distillation of what the what the law a is not said a note 10 actually says the technical complexity of cyber operations complicates matters commanders are other superiors and the chain of command cannot be expected to have a deep knowledge of cyber operations to some extent they are entitled to rely on the knowledge and understanding of their subordinates nevertheless the fact that cyber operations may be technically complicated does not alone relieve commanders or other superiors from the responsibility for exercising control over their subordinates in all cases the knowledge must be sufficient to allow them to fulfill their legal duty to act responsibly to identify prevent or stop the commission of war crimes now so the rule knowledge is that this is a complex area technology is complex and cyber operations are complex but the commanders have to have technical competence at least sufficient enough to know when it could potentially be a worker and if the commander has the responsibility shouldn't you as the advisor to the commander have that same or similar technical competency or at least enough that you can talk the same language with the commander another rule from uh Talon 2.0 is Rule
110 uh the summary of which articulates the customary international law provision of a Weapons review so the summary cyber weapons must be reviewed for compliance with international law now again note 9 provides a little bit of guidance for us the determination of the legality of a means or method of cyber warfare must be by reference to its normal expected use at the time the evaluation is conducted any significant changes to the means or methods necessitate a new legal review so that means we have to potentially look at every cyber operations Twice first when the Weapons review is being conducted and when you conduct the Weapons review you need to be able to understand the means and methods how it's actually operating to be able to review whether or not it is legally permissible and second you also need to have enough know-how on the technology to understand when it changes so that it necessitates another subsequent legal review so I believe that these six rules taken together give rise to an obligation a duty uh that all lawyers must comply with or at least the ones acting in National Security and so here is essentially my thesis to be competent as a national security law practitioner you must maintain a working understanding of the relevant technology and its advancement in the relevant domain in other words you have to get educated on the technology this includes other domains both space cyber uh land as well you know air as well as other methods of warfare to include autonomous weapons artificial intelligence Quantum Computing and the like now I do say I do agree it is a big ask it might not be in your wheelhouse but it's not unfair and it's absolutely necessary for us to be good attorneys as I said I could stop there I mean they would be an okay presentation but I'm going to keep going it's like I said I am a full service ethics and we've got some time remaining now what we're going to do is now we're going to walk through some steps some tips if you will on how to actually fulfill your duty and I have a five-step process try to get to 12. I couldn't a five-step process on how to fulfill your duty and so let's walk through these together to figure out exactly a sort of a method you can use to become a good National Security attorney first you want to understand your clients goals step one understand your clients goals understand what they want to do and why they want to do it what does that mean well you probably want to understand the mission right that's probably your first goal understand the mission what the client wants to do how can you do this well in the National Security realm or at least in the dod the first step is to read the relevant policy documents those include the dod right in the dod with the national defense strategy we have the the Nationals the dod cyber strategy the National Security strategy the National military strategy the Cyber deterrent strategy and all uh cyberspace operations and all classified Opera classified regulations so we want to read all of those things why because they help you understand the larger strategic goals of your leadership okay and once you do that then um oh yeah so there's the national Striker strategy in uh the AI realm uh we've got the five principles we talked about that responsible reliable Equitable governable and traceable uh we also have DOD directive 3000.09 was just re-released and it's all about uh autonomy and weapon systems so you probably want to read those relevant things in order to start to understand exactly what are the things that DOD is focused on um when it comes to responsible or when it comes to those five principles responsible means uh remaining responsible for the development deployment and use capabilities so in other words somebody in charge Equitable means we want to minimize intended bias we'll talk about unintended bias I should say we should we'll talk about that later it has to be traceable which is uh we want relevant Personnel to possess an appropriate understanding of the technology this is sort of a bonus rule so if I had a rule seven that would sort of say that you need to be involved this is a good one right they're you're not you're not going to work on AI unless you understand the technology and understand the development process and operational methods implicated reliable we want it to be subject to testing and assurance that it's actually doing what we say it does and finally governable the ability for it to detect unintended consequences and to be able to actually disengage it if we need to so this um the nice thing about actually doing these documents by the way reading these documents is that it allows you to actually look up terms and private right when you start reading this it's a new area you might be like what the heck is that right and so you want to look it up and it allows you to save a little bit of face and maybe get a little smart on these before you start to engage your clients um next you probably want to read your clients authorities if you guys know what authorities are generally speaking they're they're the story passed down usually from the president down to you that gives you the authority to act and do what you need to do and so there are oftentimes very limited or they can be limited particularly in the Cyber realm and so because if you get familiar with the authorities or the Roe you are better able to actually tell the commander hey this doesn't meet the Roe or this does meet the Roe okay this meets The Authority or we have to escalate this because we need to go through a different process through the authorities now most likely your your office has a binder with all these documents in it if it doesn't create one okay because you want to get good at understanding those things uh now you want to understand uh you missed this one I don't know what what happened to that slide um so the next thing we want to understand is your uh where am I at yes you want to read the authorities and you want to understand your client's goal and what they want to do all right there we are on step two sorry so next we want to understand the terminology now the terminology uh every particular area has its own way of speaking and you want to understand a little bit about their own language so in cyber we talk about things from protocols to networks to IP addresses to this tcpip protocol to Red spaces versus blue space encryption private versus public key certificates payload router versus switch attack we have the method the mode the path the pattern the signature the surface air gap Blacklist you get it it goes on and on there's a lot of terminology and so getting familiar with those areas can really help you start to understand what people are saying and help them explain to you how it works so red Space versus blue space for example if an operator starts talking about going into the red space you should probably know what that means and blue space is the area that the U.S government protects and its Mission Partners protect while redspace is the area operated or controlled by the adversary awesome um the next thing I want to talk about and this is I'm not a zealot on this but it's something that I think is interesting is uh autonomy versus AI oftentimes we use these interchangeably and they are not interchangeable okay um AI is a subset of automation or autonomy AI refers to the ability of machines to perform tasks that normally require human intelligence for example recognizing patterns learning from experience drawing conclusions making predictions or taking action whether digitally or through smart software behind autonomous physical systems so oftentimes the artificial intelligence is the brain of the operation of the autonomous system but it doesn't have to be autonomous systems just mean that they are they operate with some varying degrees of human intervention that's it right so your cruise control is autonomous right most of them are now becoming AI as well because they're equipping AI engines in them but they are generally autonomous okay they operate with very little human interaction we have we set it and we forget it and so um the the autonomy just refers to anything that operates with uh varying degrees of human intervention from human in the loop actually doing it to human completely out of the what we call a fully autonomous system so don't confuse the two and don't use them interchangeably now ai again has its own language right it talks about forward chaining versus backward chain that's how you train IT training the system a neural network which we'll talk about deep learning and the black box issue as you get to know this technology and this terminology you'll start to figure out exactly what these terms mean helps you become part of the conversation we also want to keep a running list of acronyms uh anybody new to the military understands we love our acronyms well that's true about other things right in the dod we have I just used one uh Department of Defense we have SDI tdys PCS Les those are the the normal Personnel ones we've got much more complicated ones right and the Cyber we've got GUI scada Land versus Wan tcpip DDOS and IEEE ISP IPS VPN apt Oco dco I can go on and on right we have a lot of those just like the terminology we have our we love our acronyms so get a running list of them and it's okay if you have them in your book your binder that lists all those and you can go back and look at them in AI we've got uh NLP nludl RPA ML and VA right I think the list goes on and on now that said we do have a little bit of help for you um so my colleague Jeff biller at the Air Force Academy along with our new colleague uh Professor uh Aubry Davis actually recently published this Air Force Cyber Law primer which actually does this for you in the first half of the book it explains as a glossary with all these things related to cyber um are we going to do eventually an artificial intelligence law primer we'll see doesn't seem like you guys are clamoring for it so um we won't waste our time but the point is uh you you have some help out there there is help to actually figure out how this stuff works uh the next thing is to take orientation courses oftentimes a lot of your commands will actually have uh you know uh operators courses right so I know space 100 exists out in space command you've also got cyberspace 190 that you can enroll in for cyberspace operations and at the AI accelerator at MIT they actually offer courses as well on AI in other words you can enroll in these courses and oftentimes as lawyers they'll let you just sit in the back you don't have to take up a sleep a seat you can actually just sit in the back and watch them and you can get educated on uh what these are these are the entry-level courses for their operators so you actually end up getting it dumbed down to you it's not just something that it's on an upper level course you dumb down to you to the point that you can understand exactly how things work and so that can really help you save some face and start to understand the technology on a new level now after you've done that now comes the hard part we want to start understanding the technology we've got the terminology we've got the acronyms we understand the Strategic documents now it's time to actually dive in and understand the technology by creating building blocks understanding the building blocks and then potentially diagramming it if that helps you okay so I'll give you some examples so here's an example of a network right many of you probably understand what a network is but if you don't that's okay just go with me so this is just an example of what a network is okay it's an introduction of set devices capable of communicating we've got two types of devices right we've got hosts endpoints so computer servers and printers on one side and they are linked together through connecting devices routers switches Etc now they can vary in size we can have a lan or we can have a weigh-in but the general speaking is land is the small area right it's like Duke Law School has a land and then the wider one is a larger group geographic area covers all of North Carolina okay so this can help you sort of see okay I get how these things work together then once you get the building blocks you can start to see how the pieces work together in order to accomplish the objective now it doesn't have to be too complicated okay this is the actual original arpanet so the original internet this is what it looked like uh and this is the the topology of that is what we call that Network topology of how it all worked together you can be far simpler okay this is probably good right and it can walk you through what exactly is going on right you've got hosts at the top uh that are connected to the internet through a router and then down here you've got a couple of others so these uh smaller sections that not connected to the internet would be considered lands the whole thing in total would be considered a Wan and this can help you figure out exactly what's going on and once you figure that out one thing that's missing by the way out of this is a modem I don't have a modem on there a lot of you people at your your house you probably have a modem which is what the device that converts the incoming connection usually a coax or DSL into uh something that you can use ethernet that you can actually turn into a wireless network or you can plug your computer in and actually work okay um so that's not on there but generally speaking these are all uh showing you how a system works and if you want to extrapolate this across the board you can and it can become bigger and bigger but it's the same devices overall then once you do that you want to start identifying any gaps in your understanding and research one way you can do that is go through your topology which you just created your diagram and list out potential terms that you don't understand that you need to dive into okay and so we talk about okay what's a node what's a network adapter what a packets server router switch Etc now as I said this is called the network topology you might wonder okay well then how do these computers talk to one another well they do it through uh the tcpip protocol and packets so that's the zeros and ones flowing across so it's sometimes nice to walk through that just to see how it works so here's the tcpip architecture it's a five level a five-step process five layers of PCP just kind of helps you understand how the computer works and you'll see why I'm giving this to you in just a second so first you start with the application this would be like a message if you will it could also be your uh like your Safari your web server or web server and what it does is it decides to send some data or it wants to receive data it starts at the application levels that's the actual software it then sends it down to the transport layer the transport layer what it does is it appends the packet with more information we call this encapsulation so think of it like an envelope it's going to put it in an envelope and lock up the envelope on the top of that envelope it's going to write a protocol is TCP it's going to write uh destination Port where does it need to go Port 80 is the web server traffic and it's going to say where the source Port came from where did it come from on the computer after that it's going to go down to the network layer where it's going to append the IP address it's going to say here is the destination IP here is the receiver or the The Source IP okay so you can come back we then convert IP addresses into Mac addresses do you know what a MAC address is anybody yeah that's the physical address right every device has its own so we do that at the data link stage that's where it appends the MAC address a unique one unique to IP addresses can be duplicated across the world um because you have lands right not lands uh but the Mac addresses are not they are all unique and so as a result you end up with a longer packet then in the physical it goes down oh I missed it it goes down to the zeros and ones okay and these are the things that are actually sent across the wire on off on off on off and ultimately get to the other side of the equation and the other it works in Reverse going back up now the reason the protocol is on there is because I wanted to chat about it for a second so if a operator comes to you and says Hey listen this is what I'm going to do I'm going to do some uh packet spoofing to figure out where the open ports are and then I'm going to do some uh sorry packet crafting to test the firewall and then once I figure out where that is I'm going to inject some malicious code and we're going to figure out and take control of the computer you might not know what that means but this can help you okay what the what the operator is saying is that he can manipulate packets or sure you can manipulate packets that actually change the source so it looks like it's coming from somewhere else so when the computer sees it it avoids detection so once he does that he avoids The Source uh he can then figure out what ports are available so he can start going in once he figures that out that he can pack it cracked packet crafting is where you actually send messed up packets and you see how the firewall reacts to it if the firewall kicks it well then you know okay they've got security there but what you can do is by messing with the the destination or the source you can constantly avoid detection and constantly probe this particular firewall which is operating on the host computer to figure out exactly where the flaw or the vulnerability exists once you do that then you've got your path and you can actually get in and so you might say to him well great thank you I understand what you're saying now I need to go back and check to see if it meets my authorities and whether or not it meets International and domestic law okay now uh I think oftentimes we might not recognize the power that these people have uh so a story from my life one time I was traveling in an airport on official Duty and I happen to be traveling with the Cyber operator and so I I was sitting down we were waiting for our plane I took out my computer I opened it up I connected to the wireless network at the airport the free one and he looks at me and he says uh what are you connected to and I said oh I'm I'm connected to the wireless network he's like does that concern you I said well no I don't have anything to hide and he's like okay interesting um you're not connected to a VPN are you and I said no I'm not and he's like all right so he takes out his computer opens it up and he's able to see uh all the networks that my computer trusts and what that means my computer actually reaches out and says does this network exist Does this network exist is this network here if it is it connects automatically if it's not then it just says okay never mind I won't try to connect while he can collect that information and then what does he do with it he can pretend to be that particular wireless access point and then he can connect to the internet from his so to me it's transparent I look like I'm connected to that and I get internet access the entire time uses the packet sniffer he can see every single packet going over my computer and he showed me and it was kind of creepy now that's why we should always use vpns right vpn's encrypt that's why a lot of you know places are going to encryption where we encrypt from end to end so even if he sees the packets he has no idea what they are until we get to Quantum Computing and then they can just be encrypted maybe we'll see so even times of what we think oh we're safe we're just an airport everything's good um maybe we shouldn't be connecting to free networks and if you are use a VPN so when I set up my wife's computer she has her own law practice uh I said okay sweetie what we need to do is we need a VPN I don't know much but we need a VPN and so in compliance with the rule I did hire an expert if the expert came in and did all this for us so all right let's talk about AI so when we think about AI when we think about building blocks of AI uh we first probably it's probably beneficial for us to look at traditional programming okay if you have a program before you probably understand the basics of program right what do we do we we take a mental model that we have of how an algorithm should proceed we then program that into the computer through the handcrafted model and then the user provides both the data and the model we provided we hit enter it computes and gives us a result okay so by way of example let's say we want to create a program that can actually detect differences between uh differences between a combatant whether it's a lawful combatant or whether it's a civilian okay an example of traditional model of programming would be we type in let's say four questions and we say all right does the person wearing a fixed distinctive side recognizable at a distance yes or no yes uh second question are they where are they carrying their arms openly yes or no and through that after we answer all those questions we can hit enter and we ultimately get a result the result being yes or no okay that's an example of computer traditional computer programming and as you can tell it's really limited to the capacity of our brains AI flips this model a little bit on its head what it does is it largely gives the model creation over to the computer in other words what we do is we take data data that we know so sample data and then we have an expected result we fixed expected result and we provide that to the computer the computer then analyzes all those results and all that data and gleans from that data a model of what their necessary things are and then we can feed that model back into the system and with new data and then what it can do is use the model to figure it out okay now depending how you actually create this model depends largely on which type of AI model you're using and there are two main ones the first one is machine learning and the second one is deep learning deep learning is essentially a just sort of an exponentially a complex version of Deep learning as you see here what we do is in the machine learning is we do some feature extraction that requires a little bit of a technical capability from an individual from programmer to actually look at the potential features I'll explain this in a moment and what I mean and then ultimately the computer just does some evaluation of building the model based on those features that you've provided okay um deep learning on the other hand actually layers different algorithms on top of one another so that you don't actually have to do the feature extraction it can do the feature extraction so let's look at an example let's say for uh for example that I wanted to go back to my example of the the combatant versus civilian analysis and a machine learning is really good with structured data in fact it needs structured data what do I mean by structured data well imagine like a imagine like a Excel spreadsheet and on the top it's got all these different attributes right so wearing a sign carrying arms openly red headed tall right has all these different things those are all those are the best things um all I'm carrying my arms openly um so all the things and then we have a bunch of data below it we feed that into the computer and what it does with structured data it's got the feature instruction it can tell us what things are important and what things aren't and so it I can actually tell you all right so this particular aspect is important whether they're carrying their arms openly is important so when I do the evaluation I'll tell you I'm only as a computer going to focus on these four things okay uh the rest of it's just nonsense so it can help us there can also help figure out where the inefficiencies are deep learning on the other hand is no structured data this is where I can literally feed a pictures into it and it can figure out what's important about the picture it can figure out deduce what features are important and then from there it can actually conclude whether or not it is in fact um uh you know a combatant or not right and so in this case the Deep learning are the ones that you probably hear of those are the ones that are more popular machine learning is often used for like statistical modeling like Financial stuff that's where it's most most heavily used you'll see in just a second I'll talk about the models um and you'll see the Deep learning is really one by itself the other models are machine learning and so it's a lot of evaluation of large massive amounts of data but it's structured data we get to deep learning it's all about unstructured data and so I can tell you a lot about it okay now um the the idea would be that once you've created this AI you can then put that brain into an autonomous vehicle and it can go out and actually engage uh with targets and it would be able to do it all by itself assuming that it is of the requisite reliability okay now um some that you might have heard of uh before that have actually been um that have made the news uh there's actually the the system that uh that they developed that could actually detect your sexual orientation it actually came out to be 91 effective reliable you've actually detect it 91 reliably uh whereas the best human was around the 60 mark uh and so that was ultimately um uh shut down for ethical concerns uh as you could imagine and so as a result um uh it's no longer in existence now that said uh you could there are some issues that can pop up with AI and so it's sometimes sometimes helpful to look at those when we look at the the this particular chart the ones on the top are things that actually exist in the training module module uh the or throughout the process the bottom ones are the ones that we can actually uh suffer from an external threat and so if you start with the data right so you can have data bias I'm sure you're you're familiar with this right if the data is biased so too with a model and so oftentimes what we do is we use data it's data intensive we need a massive amount so uh you're talking millions and millions and millions of Records to go through a deep learning uh neural network and so as a result you need a ton of it well where do we get that we usually get that from history right historical records when we do that what we're unfortunately doing is whatever bias we had we are baking in to the system and so by way of example uh you know Amazon actually had about a hundred thousand uh applications resumes that they had available to them and they were way behind on evaluating all of these so they decided to create a structure an algorithm an AI that could actually evaluate the resumes and then shoot out the best candidates for interview and what they found out was that uh women were actually downgraded as a result anytime they use the word women's for example saying like the women's leadership conference uh it would actually be downgraded they penalized graduates who were from two all women's colleges and they prioritized verbs that were more found more commonly found in men's resumes like the word execute and so after they realized this they immediately shut it down because they said okay it turns out that the data we provided was biased and therefore the results are biased we can also have table uh label leakage that's where you have data unfortunately uh let's say the data is not labeled sometimes I can get into the system It ultimately causes the computer Haywire I can have label specification where somebody just puts in the wrong thing right it's a car no it's not as a skateboard improper and complete training obviously I think we can figure that out does misinterpretation of the results or data shift so data shift data set shift is where uh the the new data is presented in a different way and so as a result when the AI looks at it it doesn't quite know what to do and so it will ultimately lead to improper results okay but you can see at each three of the stages through the data collection through the model and through the deployment we can have potential issues uh one thing that we do want to talk about is with the black What's called the black box issue the Black Box issues this idea that we're gonna largely we can see the input layer we can see the output layer but we don't know what goes on in between right through the neural network it's just it's not transparent to us it's completely opaque and so as a result the black box is this idea we don't know what things the computer is relying on and to demonstrate this a bunch of researchers actually did the husky wolf uh programming you might be familiar with this you might have seen it they basically tried to get a program to learn the difference between huskies and wolves now to be fair to them they were actually trying to trick the machine so it was giving them bad data on bad data on bad data just to demonstrate that at the end it was actually reliable you see it's only got two wrong but that's of course extrapolated it was about 90 effective then they asked the computer what it focused on it focused on the snow it said wolves have snow in the background Huskies because they're pets don't and so it shows you that sometimes the computer can be completely off from where we think uh that we think it's focused on oh it's focused on the nose length in the eyes no snow okay all right and this is just a taste of the technology my goal for you is to dive deeper to figure out exactly what the technology how it operates to take these building blocks extrapolate ad complexity and build all right step four we want to engage the client ask questions even if they reveal your ignorance right when you said x what did you mean when you what do you what can you read well what can I read to potentially understand this capability do you have a sheet of acronyms or vocabulary to go to on earlier ones um what does it do how does it do that where do you get the training data did you sift through the training data to determine if there's bias that exists have you proven the model for accuracy how accurate is it how do you know that force them to diagram or explain it to you if you don't quite get it don't be afraid to Simply ask questions and then uh here's an example of a diagram that they could use you can also so this is a the Cyber kill chain it's just an example there's plenty of others that exist out there it's this is not the official one or anything and then AI models I told you I'd show this 10 generally accepted AI m
2023-04-17 03:46